
Volume 6, Issue 4 September 15, 2011


When Scammers Socialize

Typo Domains of Social Networking Sites Being Targeted by Scams

Imagine the following scenario: you sit down to check your Facebook account, open your browser, and begin typing in the domain name Facebook.com. But instead of “Facebook,” you accidentally reverse the “C” and the “E” and mistakenly type in Faecbook.com. You are greeted with the familiar blue and white background of Facebook’s login page, but instead of text boxes prompting you to type in your email and password, you see a message telling you that you are today’s winner, and may select a prize of either an iPad 2, a MacBook Air or an iPhone 4.

You click on a prize and end up on a screen prompting you to enter your email address in order to claim that prize. Typing in your email address leads you to a page requesting additional information. And then entering that information leads you to another page asking for information, and then another. Soon, you’ve given up your email, your physical address, your phone number and other identifying information. And you’re no closer to winning that iPad.

Background

Faecbook.com (“Facebook” with the E and C reversed) is just one of hundreds of examples of a scam that targets typographical variations of the domain names of popular social media platforms. Beginning in December, the FBI’s Internet Crime Complaint Center (IC3) “discovered misspellings of a social network site being used as a social engineering ploy,” according to its 2010 Internet Crime Report. The content hosted on these misspelled domains promises prizes in exchange for survey participation, but in reality is just a scheme to glean users’ personal information.

This type of scam is one particularly nefarious manifestation of typosquatting, the practice by which individuals seek to monetize or otherwise benefit from traffic generated by spelling or keystroke mistakes made by Internet users while they attempt to type in domain names to reach specific websites. Typosquatting costs businesses millions of dollars per year in diverted traffic to their websites, lost sales and wasted advertising revenues. Last summer, FairWinds found that the top 250 most popular websites lose $364 million per year to typosquatting. For social media sites, typosquatting can cause distrust among users and, ultimately, that distrust can lower users’ impression of the sites for allowing them to be exposed to this type of cybercrime. Moreover, as we see with this type of scam, typosquatting can lead to other harms such as identity theft.

Our Approach

As it became aware of this scam, FairWinds decided to investigate how prevalent it was across the most popular social media sites. We generated a list of typographical variations of the domain names of the top ten most visited social networking sites, according to Quantcast: Facebook, Flickr, LinkedIn, LiveJournal, MySpace, My Yearbook, Photobucket, Tagged.com, Twitter, and YouTube. Of all the typo variant domains, we analyzed those that are owned by a third party (i.e., not the target website’s owner), quantifying what portion hosted this scam. In total, we examined the content of 2,085 domain names that were typographical variations of those ten social networks’ domain names.
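The typo classes that this report's example domains fall into (two adjacent letters swapped, a letter dropped, a letter doubled, a character substituted) can be recognized mechanically when reviewing a list of observed domains. The following is an added example, not FairWinds' tooling; the function names and the two control domains at the end of the sample list are assumptions made for illustration, and input is assumed to be in `name.tld` form.

```python
# Added example: classify domain labels as single-keystroke typos of a brand.
BRANDS = ["facebook", "youtube", "photobucket"]  # three of the ten sites studied

def classify_typo(label, brand):
    """Return the typo class of `label` relative to `brand`, or None."""
    n, m = len(label), len(brand)
    if n == m:
        diff = [i for i in range(n) if label[i] != brand[i]]
        if len(diff) == 1:
            return "substitution"
        # Two adjacent positions whose characters are exchanged.
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and label[diff[0]] == brand[diff[1]]
                and label[diff[1]] == brand[diff[0]]):
            return "transposition"
    elif n == m - 1:
        # Deleting one character from the brand yields the label.
        if any(brand[:i] + brand[i + 1:] == label for i in range(m)):
            return "omission"
    elif n == m + 1:
        # Deleting one character from the label yields the brand.
        for i in range(n):
            if label[:i] + label[i + 1:] == brand:
                doubled = label[i] in (label[i - 1:i] + label[i + 1:i + 2])
                return "duplication" if doubled else "insertion"
    return None  # exact match or more than one keystroke away

def triage(domains, brands=BRANDS):
    """Map each observed domain to (brand, typo_class); others are skipped."""
    hits = {}
    for domain in domains:
        label = domain.lower().rstrip(".").split(".")[0]  # assumes name.tld input
        for brand in brands:
            kind = classify_typo(label, brand)
            if kind:
                hits[domain] = (brand, kind)
                break
    return hits

# Domains named in the report, plus two constructed controls at the end.
OBSERVED = ["Faecbook.com", "Facebok.com", "Fac4book.com", "Facebbook.com",
            "Yotube.com", "Photobukcet.com", "facebook.com", "example.com"]

if __name__ == "__main__":
    for domain, (brand, kind) in triage(OBSERVED).items():
        print(f"{domain:18} {kind:14} typo of {brand}")
```

The legitimate domain and the unrelated control are not flagged, because only labels exactly one keystroke error away from a brand are reported.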

Key Results

Of those 2,085 typo domains that we analyzed, we found that 281 hosted this type of information-stealing scam. That amounts to over 13 percent. That number may seem low, until one considers the fact that many of the typo domains receive significant amounts of traffic: by FairWinds’ calculations, the 281 typosquatted domain names in this study that resolved to a social survey scam receive 48,940,620 unique visitors per year. One typo domain that hosts this social scam, Yotube.com (YouTube without the “U”), receives over 19 million visitors per year. That figure, however, pales in comparison to others. In late June, Facebook recovered one of the typo domains, Facebok.com, after a lengthy lawsuit. According to Facebook’s own SEO team, that domain alone receives 250 million visitors per year.

Compare that figure to the traffic that the remaining 1,804 domain names, which do not host this scam, receive: according to our calculations, those domains receive 25,078,099 visitors per year, in total. In other words, a mere 14 percent of the domains in our study receive almost twice the amount of traffic as the other 86 percent. This means that the criminals behind this scam are savvy enough to target only those domain names that Internet users frequently type into their browsers.

The scam that is being hosted by these domains takes two forms. One form is a survey that offers an “exclusive gift” as a thank you for participating. Fac4book.com (a 4 in place of the E) is an example of this version of the scam (please see the screenshot in Figure 1 below).

Figure 1: A screenshot of Fac4book.com

The other form displays a group of prizes, usually three gift cards or products, and clicking on one of them leads the user to a questionnaire page. Photobukcet.com is an example of this version (please see the screenshot in Figure 2 below). Despite their differing appearances, both scams have the same goal: they both promise rewards while systematically stealing Internet users’ personal information.

Figure 2: A screenshot of Photobukcet.com

By far, the social network that is most plagued by this survey scam is Facebook, with 96 typo variations of its domain name, Facebook.com, hosting this type of scam. Those 96 typos expose six million visitors to this scam annually, by our estimations. The next highest site is YouTube, with 57 typo domains hosting the scam, exposing over 38 million visitors annually. For the most part, the social networks most targeted by this type of scam are also the most popular sites in terms of how much traffic they receive. Facebook, YouTube, Twitter, LinkedIn and MySpace receive the five highest amounts of visitors of all the social networks in our typosquatting studies, and they are also the five with the greatest numbers of typo domains that host this survey scam. For a breakdown of all ten sites, please see Figure 3 below.

Figure 3: A breakdown of which social networking sites are most impacted by this scam

The IP Hosting Connection

Over years of researching the domain name space, FairWinds has found that actors who engage in cybersquatting do so for profit, which is why it is so common to see those domains hosting pay-per-click (PPC) advertisements (the domain owner receives a portion of the click-through fees). So while the business model behind hosting these social survey scams is not obvious, it is logical to assume that the owners of these domain names profit from hosting the scam in some way.

Curiously, many of these typo domains share the same IP host and even the same IP address, although they list different registrants and registrars (see Figure 4 below). One IP host responsible for 19 of the scam-hosting typo domains is actually Oversee.net, the parent company of Moniker.com, an ICANN-accredited registrar – a “top-ten” registrar, according to its website. The most prevalent IP host that we identified in this study, hosting 73 typo domains, is Secure Hosting Ltd, an offshore hosting service provider based in the Bahamas.

Figure 4: Breakdown of IP Hosts that host social scam domain names

The owners of these domain names vary widely. Some registered these typo domains as recently as 2011, whereas a small handful have owned their domains since before the social networks even existed (please see Figure 5 below). Many registrants hide behind Privacy registrations, whereas others, unsurprisingly, provide blatantly false WHOIS information. Some list the domain name itself as the “registrant”; one even just listed “993.”

Figure 5: Domains in our study by year of registration

Unfortunately, what is unclear here is how the bad actors behind this social survey scam convinced the registrants of these typo domains to switch from however they were previously using the domains to start hosting the scam, and what incentives they provided to do so. As mentioned previously, these particular typo domains are among the highest trafficked typos of these popular social networks; it stands to reason, therefore, that the registrants were making some amount of money from hosting PPC ads on the domains. Presumably, the monetary compensation for hosting the social survey scam was greater than what PPC ads could generate, otherwise there would likely be little incentive for the registrants to switch.

The FairWinds team attempted to contact one of the owners of some of the domain names that host this social survey scam, posing as another typo domain owner looking to get involved with this “program.” The domain owner was very hesitant to divulge information about the program, but he did indicate that the parties that run it only look for the biggest, most highly-trafficked typos (an assertion that is corroborated by the findings of this study). He also hinted that his personal portfolio of domain names, the majority of which are enrolled in the survey model, earns him around $250 per day, a total of $90,000 per year in passive income. Unfortunately, when pressed for additional details, the domain owner terminated contact with us.

While we cannot guess how much money this person was earning when he was using his social network typo domains to host PPC ads, it was almost certainly less than $250 per day. Because the social networks in our study do not use paid search, the click-through conversion rate would be low, and the click fee that a typosquatter would receive from an Internet user clicking on the PPC link would also be very low, especially compared to a link for an e-commerce site, for example.

The Impact on Internet Users

While it is disappointing that we were not able to find out more about the origin behind and mechanics of this social survey scam, it does not require an undercover FairWinds Associate to recognize the harm that these typosquatted sites can pose to consumers. We followed the survey prompts beginning on Facebbook.com, which promised a free MacBook Pro, iPad or Walmart gift card. After asking for an email address, physical address and phone number (which we filled out with made-up information), the site linked out to other merchants asking for this personal information again. The email address we set up to use when filling out these surveys is already laden with spam and what appear to be more than a few phishing attempts.

What Social Networks Can Do about This

While security experts can urge Internet users to be savvy, and to avoid suspicious-looking websites, the social networks that are being targeted by this scam can take an active role in protecting their users as well. They can attempt to reclaim these domain names, which are flagrantly cybersquatted, through the Uniform Domain Name Dispute Resolution Procedure, under the U.S. Anticybersquatting Consumer Protection Act (ACPA), or by other means.

Facebook recently took a stand against typosquatting in a lawsuit against 25 defendants over a barrage of typosquatted domains. The lawsuit included 104 domain names, 29 of which were identified in our study as having hosted the social scam. In one legal action, Facebook could potentially recover 30 percent of its typo domains that are exposing its users to harm. Other sites like Twitter, YouTube and LinkedIn should consider pursuing similar actions, both to protect their users and also to protect their own brands. Because the relatively small number of domain names in this study receive a high proportion of the total typosquatting traffic for their respective sites, with the right strategy, these social networks can protect large volumes of users with minimal effort and resources.